
Virus detected in redu-0.2.12-windows-x86_64.zip by a small number of scanners

Open tomwaldnz opened this issue 1 year ago • 10 comments

I want to give redu a try, but when I downloaded it Windows Defender reported a virus - Trojan:Script/Wacatac.C!ml. Kaspersky online scan says the file is fine. However, the VirusTotal scan says Kaspersky detected a virus but 66 other vendors didn't.

It's probably a false positive, but I thought it worth mentioning to be looked into.

Image: Windows Defender

Image: Virus Total

In comparison, v0.2.11 scans fine.

Image: Virus Total Scan 0.2.11

tomwaldnz, Apr 19 '25 21:04

Hello,

Thank you for reporting this.

I'm not entirely sure what to do about it here; that binary was built by the GitHub action that is on this repo. There is the possibility of some foul play from either GitHub Actions or one of redu's dependencies, I suppose.

But I would be more inclined to bet on broken anti-virus software.

drdo, Apr 19 '25 22:04

I agree it's likely a false positive, but by reporting it you can look into it :)

tomwaldnz, Apr 19 '25 22:04

Image

CrowdStrike is labeling it as possibly malicious, too. I can't use it at work because of this and it does make a person hesitate to use it. Maybe you can figure out what is triggering it and fix it.

clifton-nav, Apr 22 '25 15:04

Could you check if it's still happening for 0.2.13? Just wondering because I updated some dependencies as well for this version.

I checked with VirusTotal and Kaspersky online for 0.2.13 and both report it clean.

drdo, Apr 22 '25 15:04

Yes, I had just installed that version this morning, but I can ask for details. This came from my security officer in an email.

clifton-nav, Apr 22 '25 15:04

Interestingly, I don't see a version on it. Is there a way to see it from the CLI?

Image

clifton-nav, Apr 22 '25 16:04

I can send you a little more info in a private message. Where would I do that?

clifton-nav, Apr 22 '25 16:04

> Interestingly, I don't see a version on it. Is there a way to see it from the CLI?

redu --version

drdo, Apr 22 '25 16:04

> I can send you a little more info in a private message. Where would I do that?

I'm on Libera with nick drdo if that's convenient for you.

drdo, Apr 22 '25 16:04

Windows Defender still finds the same trojan in 0.2.13. Based on the two scanners below saying it's fine, I suspect it's a false positive. I submitted the earlier version to Microsoft to analyze; hopefully they will fix it at some point.

Virus Total says it's clean

Image

Kaspersky says it's clean too.

Image

tomwaldnz, Apr 22 '25 20:04